Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium


Secure & best practice of file & folder sharing between laptops & PCs

Posted on 2016-07-18
Medium Priority
Last Modified: 2016-07-26
I'm drafting something for IT guys if they want to share their files/info within the team
& we don't have SharePoint currently.

For sure, passwords & sensitive info like payslips must not be shared this way.

Besides sharing out explicitly using NTFS permissioning (I think this is equivalent of
using icacls), what other measures should we undertake?

a) is a network share  (ie Windows  'net share sharename=c:\myfolder' ) encrypted?
b) how can we prevent domain admins from accessing the information/file/folder?
c) should we set up firewall rules to permit only ppl within same team (say
    netadmins) to access the share?  But we have an issue in that some of the
    PCs are on DHCP (ie non static IP)
d) any other measures?
Question by:sunhux
  • 3
  • 2
  • 2
LVL 84

Assisted Solution

by:David Johnson, CD, MVP
David Johnson, CD, MVP earned 1000 total points
ID: 41718169
Disk level Encryption will not work as the share will be un-encrypted over the share.
use groups for share permissions and get granular with ntfs permissions
domain admins are by definition local admins so even a deny for domainadmins group can be overridden easily.
c cannot be done easily.

you could use winzip / winrar /7zip to encrypt the files and only the users that should have permissions have the password

Author Comment

ID: 41719019
is it a good practice to use Windows Firewall to permit PCs of specific IP range to access
as in our case, our IT dept uses a specific range of DHCP IP while users of each dept
uses different range.

What's the Tcp & Udp ports used by Windows "net share " & can we customize these
ports to use some other ports (just like some Ssh server, Ftp server can be made to
listen on different ports).

So when data is copied over from a Windows Network share, it's not encrypted?
LVL 65

Accepted Solution

btan earned 1000 total points
ID: 41719181
Even the NTFS permission is a huge chunk to ensure not only access right but be role based (security group like Department or Job) specific to determine who can (identity assigned) and to what resource (file & folder) with what permission given (right mgmt. if poss otherwise ACL using least privileged to do the job)- you can catch it here https://technet.microsoft.com/en-us/library/cc780313(v=ws.10).aspx

one problem faced with file shares which is not about ACL or having right mgmt. enforced in document but it is the manageability of "Folder Spread" - multiple folder and file created at root folder overloads not only the system resource of indexing but also hard to track security activities
and in fact make it easier for Ransomware to spread to all folder and files from the root by enumerating for each file server instance. We need to limit exposure assuming the event infection or malware start to propagate and jump from server to server to spread infection. So practice is for
- root folder (administrator, read only root-level folder)
-- "horizontal" folder mgmt  with logical restricted no of child folder (limit to max 10 folders and each is based on unique department purpose)
-- "vertical" folder/file mgmt. to limit to the file path not to be more than the 255 char naming length (do not advocate too deep of folder as data can be lost easily when it is missed out for backup of targeted backup of certain data type, it reduce the file I/O access too)

- Have an overall access matrix to chart the security assignment to the file shares (as the resource)
- Be able to mapped to the central security group and user assigned as well as the file share in the authorized system.
- Have audit trails for access enabled
- Separate critical or time sensitive folder out into other server or mapped into other drive.
- Differentiate between classified and non-classified information and further restrict access to public access (enterprise level) and private (dept, team, user level)
- Set permission once the folder access level is determine to separate read-only and working (writable)within the mapped shares
- Avoid over segregation of folder such as "folder spread" and minimize the depth of folder with limited path name (use easily interpreted naming to determine its purpose)

I heard of the use of decoy folder purpose to make the Ransomware work hard such that it keep enumerating into the sub-folder - in a sense lost in the maze - such that alert of such anomalous access can be trigger centrally for quick response...
The Firewall Audit Checklist

Preparing for a firewall audit today is almost impossible.
AlgoSec, together with some of the largest global organizations and auditors, has created a checklist to follow when preparing for your firewall audit. Simplify risk mitigation while staying compliant all of the time!


Author Comment

ID: 41719634
> - Have audit trails for access enabled
Could point me to a link which give instructions on enabling audit trail/logging if a shared
folder or file(s) are being accessed (copied, read, edited & deleted)?

> classified and non-classified information
So admin passwords (of servers, domain admin, firewalls etc) should not be shared, while network diagrams,
IP address list is classified while documents meant for corporate-wide viewing (say Security Policy) is non-

> use of decoy folder purpose to make the Ransomware work hard
We have quite a number of ransomware attacks, so will be nice to elaborate this
LVL 65

Assisted Solution

btan earned 1000 total points
ID: 41720086
A PDF guide that provides step-wise instructions to enable auditing on file server and track every changes into real time - http://www.lepide.com/guide/enable-file-folder-access-auditing.pdf

Classification is based on context and owner discretion to the level of protection. There should be level of classification amd guidance on classifying information and not a wild guess. Thise ip address and network diagram are unique to your enterpriae and should be treated with strict confidence esp when it is wide enterprise used. Everyone in enterprise access does not means it is non classified. They are different matter in fact it is even more pertinent to emphasis to treat these corporate info as privileged info.

A good read on tje anti Ransomware strategy include decoy files and recursive folder
Another way of impeding ransomware was proposed on the Free Forensics blog. This method involves setting up infinitely-recursive directories by taking advantage of certain features of the Windows file system. Ransomware that attempts to traverse the file system to locate the files it needs to encrypt will get stuck in such a sinkhole, giving the victim the opportunity to react to the infection.
LVL 84

Assisted Solution

by:David Johnson, CD, MVP
David Johnson, CD, MVP earned 1000 total points
ID: 41726171
So when data is copied over from a Windows Network share, it's not encrypted? It can be if using SMB 3.0. The default is not encrypted since it has considerable overhead

The ports are fixed (port 445) and defined by IANA
LVL 65

Expert Comment

ID: 41726185
To add on classification for enterprise wide info, they can be only for internal reading and not public access so rightfully, it should be classified as Restricted minimally. Security policy is classified as Restricted in that sense. If there is need to share classified info, the advice is to declassified and sanitised before sharing with external parties esp the contractor. Otherwise, strict handlibg must be authorised and oversee by the enterprise staff.

Featured Post

Managing Security Policy in a Changing Environment

The enterprise network environment is evolving rapidly as companies extend their physical data centers to embrace cloud computing and software-defined networking. This new reality means that the challenge of managing the security policy is much more dynamic and complex.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

ITIL has an elaborate incident management framework. This article serves as a starter for those who'd like to know more or need to suss out the baseline elements in a typical incident response execution plan on the "need to have" and the "good to ha…
Although free tools can be helpful to a limited extent, it’s better to stick to paid versions for business use.
Internet Business Fax to Email Made Easy - With eFax Corporate (http://www.enterprise.efax.com), you'll receive a dedicated online fax number, which is used the same way as a typical analog fax number. You'll receive secure faxes in your email, fr…
Finding and deleting duplicate (picture) files can be a time consuming task. My wife and I, our three kids and their families all share one dilemma: Managing our pictures. Between desktops, laptops, phones, tablets, and cameras; over the last decade…

572 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question